Generating secure roaming user profiles over a network

US 8,955,050 B1
Filed: 11/14/2013
Issued: 02/10/2015
Est. Priority Date: 05/01/2008
Status: Active Grant

First Claim

Patent Images

1. A network device for providing access to a resource over a network, comprising:

a memory arranged to store data and instructions; and

a processor arranged to enable actions embodied by at least a portion of the stored instructions, the actions comprising;

selectively sending an application over the network to a client device, the client device having an operating system, the application configured to provide a secure desktop on the client device, and automatically switching control of the client device to the secure desktop;

wherein access to resources is restricted by the secure desktop to being performed through the secure desktop;

receiving a resource request from the client device to map onto a file system controlled by the secure desktop;

restricting access to a requested resource indicated as being a non-mapped resource to read-only; and

otherwise, enabling a mapping of the requested resource onto the secure desktop, wherein mapping the resource further includes adding to the operating system of the client device a kernel module configured to provide access to the resource; and

when the secure desktop is closed, unmapping the requested resource, and further when the requested resource is cached on the client device, sending the requested resource to a server to synchronize the resource with the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to providing access to a resource over a network. A client device may request access to a server. An application may be provided to the client device. The application may cause control of the client device to be switched from a first desktop to a secure desktop. The secure desktop may be configured to restrict applications access to within the secure desktop. An indication of the resource on the server to map to may be received at the client device. The indicated resource may be mapped onto a file system on the client device. Mapping may comprise using a remote file access protocol, using DLL injection, or adding a kernel module to an operating system on the client device. The mapped resource may be constrained to be accessed through the secure desktop.

Citations

20 Claims

1. A network device for providing access to a resource over a network, comprising:
- a memory arranged to store data and instructions; and
  
  a processor arranged to enable actions embodied by at least a portion of the stored instructions, the actions comprising;
  
  selectively sending an application over the network to a client device, the client device having an operating system, the application configured to provide a secure desktop on the client device, and automatically switching control of the client device to the secure desktop;
  
  wherein access to resources is restricted by the secure desktop to being performed through the secure desktop;
  
  receiving a resource request from the client device to map onto a file system controlled by the secure desktop;
  
  restricting access to a requested resource indicated as being a non-mapped resource to read-only; and
  
  otherwise, enabling a mapping of the requested resource onto the secure desktop, wherein mapping the resource further includes adding to the operating system of the client device a kernel module configured to provide access to the resource; and
  
  when the secure desktop is closed, unmapping the requested resource, and further when the requested resource is cached on the client device, sending the requested resource to a server to synchronize the resource with the server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, wherein the resource is indicated as a non-mapped resource based in part on a comparison of the operating system of the client device and an operating system of the server.
  - 3. The network device of claim 1, wherein the mapping of the resource employs a security sandbox.
  - 4. The network device of claim 1, wherein mapping of the resource further includes routing of a remote file access protocol message, through a secure tunnel.
  - 5. The network device of claim 1, wherein when it is determined that a request to another resource is unauthorized, flagging the request as a security risk.
  - 6. The network device of claim 1, wherein the client device is configured to operate as a public kiosk device and the application enables a roaming user profile to be accessed through the public kiosk device.

7. A non-transitory computer-readable storage device having computer-readable instructions stored thereon, which when executed by at least one processor, causes the at least one processor to perform actions, comprising:
- selectively sending an application to a client device, the client device having an operating system, the application configured to provide a secure desktop on the client device, wherein the application automatically switches control of the client device to the secure desktop;
  
  wherein access to resources is restricted by the secure desktop to be performed through the secure desktop;
  
  receiving a resource request from the client device;
  
  restricting access to a requested resource indicated as being a non-mapped resource to read-only; and
  
  otherwise, enabling a mapping of the requested resource onto the secure desktop, wherein the secure desktop is launched by the application on the client device and wherein the mapped resource is constrained to be accessed through the secure desktop such that the mapped resource appears local to the client device, and wherein mapping the resource further includes adding to the operating system of the client device a kernel module configured to provide access to the resource; and
  
  when the secure desktop is closed, unmapping the resource, and further when the resource is cached on the client device, sending the resource to a server to synchronize the resource with the server.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The storage device of claim 7, wherein mapping the resource includes employing a temporary registry entry within a registry on the client device, the temporary registry entry being mapped to a file resource on the server.
  - 9. The storage device of claim 7, wherein when the secure desktop is closed, further removing the kernel module from the operating system.
  - 10. The storage device of claim 7, wherein the resource is indicated as a non-mapped resource based in part on a comparison of the operating system of the client device and an operating system of the server.
  - 11. The storage device of claim 7, wherein mapping of the resource further includes routing of a remote file access protocol message, through a secure tunnel.
  - 12. The storage device of claim 7, wherein when it is determined that a request to another resource is unauthorized, flagging the request as a security risk.
  - 13. The storage device of claim 7, wherein the client device is configured to operate as a public kiosk device and the application enables a roaming user profile to be accessed through the public kiosk device.

14. A system, comprising:
- a plurality of server devices configured to provide access to a resource; and
  
  a network device having one or more processors that perform actions, including;
  
  selectively sending an application to a client device, the client device having an operating system, the application configured to provide a secure desktop on the client device, wherein the application automatically switches control of the client device to the secure desktop, and wherein the secure desktop is configured to restrict access to resources to be performed through the secure desktop;
  
  receiving a resource request from the client device;
  
  restricting access to a requested resource indicated as being a non-mapped resource to read-only; and
  
  otherwise, enabling a mapping of the resource onto the secure desktop, wherein the secure desktop is launched by the application on the client device and wherein the mapped resource is constrained to be accessed through the secure desktop such that the mapped resource appears local to the client device, and wherein mapping the resource further includes adding to the operating system of the client device a kernel module configured to provide access to the resource; and
  
  when the secure desktop is closed, unmapping the resource, and further when the resource is cached on the client device, sending the resource to a server device in the plurality of servers to synchronize the resource with the server device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein when the secure desktop is closed, further removing the kernel module from the operating system.
  - 16. The system of claim 14, wherein the application provides application programming interfaces useable to specify which resource is restricted as read-only.
  - 17. The system of claim 14, wherein the resource is indicated as a non-mapped resource is based in part on a comparison of the operating system of the client device and an operating system of the server device.
  - 18. The system of claim 14, wherein when it is determined that a request to another resource is unauthorized, flagging the request as a security risk.
  - 19. The system of claim 14, wherein the client device is configured to operate as a public kiosk device and the application enables a roaming user profile to be accessed through the public kiosk device.
  - 20. The system of claim 14, wherein selectively providing the application is based on a determination that the client device is authorized to access the resource based on at least one of a username/password, an Internet Protocol (IP) address, or a cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Shigapov, Andrey
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US14/080,635
Time in Patent Office

453 Days
Field of Search

726/3, 726/4, 726/22, 726 26- 28, 718100-101
US Class Current

726/3
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 9/44   Arrangements for executing ...

G06F 9/451   Execution arrangements for ...

G06F 9/452   Remote windowing, e.g. X-Wi...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

H04L 67/025   for remote control or remot...

H04L 67/08   specially adapted for termi...

H04L 67/10   in which an application is ...

H04L 67/1001   for accessing one among a p...

H04L 67/568   Storing data temporarily at...

Generating secure roaming user profiles over a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Generating secure roaming user profiles over a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links